How to generate the dh file:
openssl dhparam -check -text -5 512 -out dh512.pem
That's mentioned in our FAQ:
http://redmine.emweb.be/projects/wt/wiki/Frequently_Asked_Questions#Q-How-do-I-use-the-built-in-HTTPS-server-in-wthttpd
For the rest of your question, I have no experience with startssl, and I
don't know what type of certificate is required for client certificates to
work. What I can tell you, is that from a short read on the net, their free
server certificate would be ok for the server.
About your configuration:
This is wrong: ssl-ca-certificates=/etc/ssl/certs/www.wittywizard.org.crt because
that filename does not suggest that it contains the root CA
certificate. If you're using client certificates from startssl, this should
contain startssl's root CA, which is apparently
https://www.startssl.com/certs/ca.cer.
I don't know the companies/certificates that you mention, so I can't
comment on their suitability. Does startssl offer client certificates too?
BR,
Wim.
2014-02-12 19:21 GMT+01:00 Jeffrey Scott Flesher Gmail <[email protected]>:
> Yes, I do understand the deal with Browser Certificate, I did install
> one from StartSSL, the Free one, my guess is that this one should have
> worked, whereas the Self-signed may not as you pointed out, I will defer
> this question until I get another public server up, and install a real
> Certificate for it, but I still need to know which one to get.
>
> I think installing this on a local machine may be problematic at best, but
> what I would like to see in the README.md is detailed instructions on how
> to do this properly so there is no need to ask questions about this like I
> am doing now, I am sure others ran into this problem as well.
>
> The thing that is throwing me is the error: Error (asio): use_tmp_dh_file:
> no start line, I get it from the command line or Qt Creator, I am using the
> command line:
> ./SslClientAuth --docroot . --http-address 0.0.0.0 --http-port 8080
> --https-address=0.0.0.0 --https-port=4430
> --ssl-certificate=/etc/ssl/certs/www_wittywizard_org_ssl.crt
> --ssl-private-key=/etc/ssl/private/www_wittywizard_org_nk_ssl.key
> --ssl-tmp-dh=/etc/ssl/certs/www_wittywizard_org_ssl.pem --ssl-enable-v3
> --ssl-client-verification=required --ssl-verify-depth=15
> --ssl-ca-certificates=/etc/ssl/certs/www_wittywizard_org_ssl.crt
>
> I am using the Free StartSSL certificate with the Browser Certificate
> installed, the only deviation I took was making a decrypted private key,
> but I used their tools to do it, then created the pem file like this:
> cat /etc/ssl/private/www_wittywizard_org_nk_ssl.key
> /etc/ssl/certs/www_wittywizard_org_ssl.crt >
> /etc/ssl/certs/www_wittywizard_org_ssl.pem
> I cat'd the No Key private key with the crt.
>
> Things I need to clear up:
> ssl-ca-certificates=/etc/ssl/certs/www.wittywizard.org.crt and
> ssl-certificate=/etc/ssl/certs/www_wittywizard_org.crt, I have them being
> the same file, but this makes no sense, but the ones I downloaded from
> StartSSL are mostly pem files, the only crt file is the one you have to
> make manually.
>
> The error is the pem file, my understanding about it, is that it's a
> combination of certificates, but even using the ca-bundle.pem that came
> with StartSSL, gets the same error.
>
> If I use the private key from StartSSL I get prompted for a password, then
> I get the same error after that.
>
> Does StartSSL's <https://www.startssl.com/?app=39> free Certificate work
> with this example would be my next question, I did try every pem file I
> downloaded, and there are 10 of them, and if I purchase one, is their
> Certificate for $59
> or
> https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx
> PositiveSSL Multi-Domain for $29.88
> work?
>
> I am going for the Multi-Domain, because this will be a CMS with multiple
> domains, which brings up a good question as to how that will work, since I
> don't want a cert for one site working for another, but this should not be
> the case, since it's URL specific, and I will still want to authenticate
> using the Local Users root user, which I still don't know if your Auth will
> handle that.
>
> At this point I just need to know what to do to get this example working,
> since I plan to use it in the Witty Wizard CMS, but I also need to find the
> easiest and cheapest way to do this for all the users.
>
> The Idea is to use this for a CMS with multiple domains, but only use it
> to get into the admin section so you can log in with the local user
> account, so it's a double security measure, because in this CMS, I want to
> run root level commands to control the server or local machine, depending
> on where it's installed.
>
> Are you saying a Self-Signed Certificate will not work?
>
> Thanks
>
>
> On Wed, 2014-02-12 at 10:14 +0100, Wim Dumon wrote:
>
> Hello Jeffrey,
>
> Are you aware that client and server certificates are two very different
> things? The example you're trying expects client certificates, but in your
> command descriptions you only talk about the server certificates, not about
> what you do with the browser. This cannot work. Client certificates are
> installed in the browser (or on a smartcard connected to the browser).
>
>
> The client example can e.g. be used to authenticate a user based on his
> ID card (in Belgium, all ID cards are smart cards that have a government
> signed authentication certificate on them).
>
>
> Is that what you plan to do?
>
>
>
> From the top of my head, the procedure is about this (assuming you want
> to be your own CA):
>
> - generate a root CA
>
> - generate an authentication certificate for a user
>
> - generate a signing request for the authentication certificate
>
> - sign authentication certificate with root CA private key
>
> - install root CA public key as trusted root CA in the browser or the
> operating system
>
> - copy the root CA public key also to the server; make wt aware of it
> using option ssl-ca-certificates
>
> - install private key of the authentication certificate in your browser
>
> - generate a proper SSL certificate for your server. Self-signed
> certificates will not work, but you have a root CA now that you can use.
>
>
> The whole procedure is quite tricky. In my experience, the browser will
> not successfully authenticate itself unless you get the trust chain of each
> piece of this puzzle right.
>
>
>
> BR,
> Wim.
>
> Best regards,
> Wim.
>
> 2014-02-11 Jeffrey Scott Flesher Gmail <[email protected]>:
>
>
> Q: How did you create your client certificate?
> A: I used this script to create the Cert:
>
> chmod 755 /etc/ssl/private/www_wittywizard_org_ssl.key
> chmod 755 /etc/ssl/private/www_wittywizard_org_nk_ssl.key
> openssl req -new -newkey rsa:2048 -nodes -out www_wittywizard_org_ssl.csr -keyout www_wittywizard_org_ssl.key -subj "/C=US/ST=Oregon/L=Terrebonne/O=Witty Wizard/CN=www.wittywizard.org"
> openssl x509 -req -days 365 -in www_wittywizard_org_ssl.csr -signkey www_wittywizard_org_ssl.key -out www_wittywizard_org_ssl.crt
> cp -f www_wittywizard_org_ssl.crt /etc/ssl/certs/www_wittywizard_org_ssl.crt
> cp -f www_wittywizard_org_ssl.key /etc/ssl/private/www_wittywizard_org_ssl.key
> cp -f www_wittywizard_org_ssl.key /etc/ssl/private/www_wittywizard_org_nk_ssl.key
> cat www_wittywizard_org_ssl.key www_wittywizard_org_ssl.crt > /etc/ssl/certs/www_wittywizard_org_ssl.pem
> chmod 400 /etc/ssl/private/www_wittywizard_org_ssl.key
> chmod 400 /etc/ssl/private/www_wittywizard_org_nk_ssl.key
>
> Note: www_wittywizard_org_nk_ssl.key was used when I signed it with a
> password, otherwise www_wittywizard_org_ssl.key are the same.
> I did this to use the certs I created at StartSSL.com, so I created a
> signed key, then decrypted it, then I cat'd them as in above, so I did not
> get the message to enter password
>
> Q: how did you add it to your browser?
> A: I am running it from Qt Creator so I add it to the run argument
> --docroot . --http-address 0.0.0.0 --http-port 8080
> --https-address=0.0.0.0 --https-port=4430
> --ssl-certificate=/etc/ssl/certs/www_wittywizard_org_ssl.crt
> --ssl-private-key=/etc/ssl/private/www_wittywizard_org_nk_ssl.key
> --ssl-tmp-dh=/etc/ssl/certs/www_wittywizard_org_ssl.pem --ssl-enable-v3
> --ssl-client-verification=required --ssl-verify-depth=15
> --ssl-ca-certificates=/etc/ssl/certs/www_wittywizard_org_ssl.crt
>
> then I did an https://localhost:4430, but I get the below error, so the
> service is never started
>
> Q: Did you also add your CA root certificate to the browser?
> A: Yes and No
> I did with the ones I created at StartSSL.com, but I did not for the
> self-signed, since I can not get the browser to start up, I get an error:
> *(asio) use_tmp_dh_file: no start line*
>
> Notes:
> --ssl-ca-certificates and --ssl-certificate are the same, are they supposed
> to be?
>
> There should be detailed instructions on how to do this in the read me
> file, do not assume everyone knows how to do this right the first time.
>
> On Mon, 2014-02-10 at 11:51 +0100, Wim Dumon wrote:
>
> Hi Jeffrey,
>
>
> Client SSL certificates for authentication do not require Apache.
>
>
>
> How did you create your client certificate, and how did you add it to your
> browser? Did you also add your CA root certificate to the browser?
>
>
> Best regards,
> Wim.
>
> 2014-02-01 Jeffrey Scott Flesher Gmail <[email protected]>:
>
> Do you need to have Apache set up on the machine if you are only using
> wt-httpd in the methods in your example SSLClientAuth?
>
> I have setup a Self Signed Cert, I am using QtCreator with the run command:
> --docroot . --http-address 0.0.0.0 --http-port 8080 --ssl-certificate
> /etc/httpd/conf/server.crt --ssl-private-key /etc/httpd/conf/server.key
> --ssl-tmp-dh=projects/ssl/dh512.pem --ssl-enable-v3
> --ssl-client-verification=required --ssl-verify-depth=15
> --ssl-ca-certificates=/etc/httpd/conf/server.crt
>
> Note: I do not have ssl-tmp-dh, nor do I know if it's required, but same
> results without it, in fact, same with just --docroot . --http-address
> 0.0.0.0 --http-port 8080,
> which makes me wonder if I am doing this right.
>
> I used this script to create the Cert:
> cd /etc/httpd/conf/
> sudo openssl genrsa -out server.key 4096
> sudo chmod 600 server.key
> sudo openssl req -new -key server.key -out server.csr
> sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out
> server.crt
> and it checked out ok, so the paths to the cert are there and verified.
>
> I hit the code message:
> Not an SSL session, or no client certificate available. Please read the
> readme file in examples/feature/client-ssl-auth for more info.
>
> Then I tried to get more info by doing this:
> Wt::WValidator::Result results = sslInfo->clientVerificationResult();
> // adjacent string literals are concatenated by the compiler, so the long
> // message can be split over several lines without breaking the literal
> new Wt::WText("Not an SSL session, or no client certificate available. "
>               "Please read the readme file in examples/feature/client-ssl-auth "
>               "for more info. " + results.message(), root());
> This didn't work, or it's not the right way to do it, any clue which one?
>
> After a long recovery from being hit in the head by a Micro Meteorite, I
> am back to working on the Witty Wizard CMS,
> I do not want to have Apache installed for security reasons,
> I want to require a public/private Cert, but do not want it to bomb if it's
> not there,
> but if it is, give the user a button to log in using the servers users,
> so I can log in as root, and run root commands from the web page,
> like Virtualmin or cPanel,
> so I can maintain the server from the CMS,
> so I was wondering if you have a function to authenticate using local
> users on the server it's run from?
>
> If this requires Apache, is there a workaround to make something like this
> work without?
>
> What I need is the most secure way to log in as root and run root commands.
>
> Thanks
>
_______________________________________________
witty-interest mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/witty-interest